There is no description at this point.
rule win_quickheal_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.quickheal." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickheal" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7ce2 b814010000 8a8c28f8feffff 888c0484000000 40 3d30010000 72ea } // n = 7, score = 100 // 7ce2 | jl 0xffffffe4 // b814010000 | mov eax, 0x114 // 8a8c28f8feffff | mov cl, byte ptr [eax + ebp - 0x108] // 888c0484000000 | mov byte ptr [esp + eax + 0x84], cl // 40 | inc eax // 3d30010000 | cmp eax, 0x130 // 72ea | jb 0xffffffec $sequence_1 = { 3bf3 0f840b030000 8d4e02 8d542424 51 } // n = 5, score = 100 // 3bf3 | cmp esi, ebx // 0f840b030000 | je 0x311 // 8d4e02 | lea ecx, [esi + 2] // 8d542424 | lea edx, [esp + 0x24] // 51 | push ecx $sequence_2 = { ff15???????? 8d542410 8d8424fc060000 52 6819000200 53 } // n = 6, score = 100 // ff15???????? | // 8d542410 | lea edx, [esp + 0x10] // 8d8424fc060000 | lea eax, [esp + 0x6fc] // 52 | push edx // 6819000200 | push 0x20019 // 53 | push ebx $sequence_3 = { 49 51 6a06 52 ffd5 83c408 } // n = 6, score = 100 // 49 | dec ecx // 51 | push ecx // 6a06 | push 6 // 52 | push edx // ffd5 | call ebp // 83c408 | add esp, 8 $sequence_4 = { 2bce 51 56 50 56 e8???????? 83c410 } // n = 7, score = 100 // 2bce | sub ecx, esi // 51 | push ecx // 56 | push esi // 50 | push eax // 56 | push esi // e8???????? | // 83c410 | add esp, 0x10 $sequence_5 = { 8d445d0c 83c408 33f6 6683f93b } // n = 4, score = 100 // 8d445d0c | lea eax, [ebp + ebx*2 + 0xc] // 83c408 | add esp, 8 // 33f6 | xor esi, esi // 6683f93b | cmp cx, 0x3b $sequence_6 = { 83c102 3bc6 7cf0 5f } // n = 4, score = 100 // 83c102 | add ecx, 2 // 3bc6 | cmp eax, esi // 7cf0 | jl 0xfffffff2 // 5f | pop edi $sequence_7 = { 7207 885101 04fc eb04 c6410100 3c02 7209 } // n = 7, score = 100 // 7207 | jb 9 // 885101 | mov byte ptr [ecx + 1], dl // 04fc | add al, 0xfc // eb04 | jmp 6 // c6410100 | mov byte ptr [ecx + 1], 0 // 3c02 | cmp al, 2 // 7209 | jb 0xb $sequence_8 = { f7d1 49 8dbc2414010000 8bd1 83c9ff f2ae a1???????? } // n = 7, score = 100 // f7d1 | not ecx // 49 | dec ecx // 8dbc2414010000 | lea edi, [esp + 0x114] // 8bd1 | mov edx, ecx // 83c9ff | or ecx, 0xffffffff // f2ae | repne scasb al, byte ptr es:[edi] // a1???????? | $sequence_9 = { 52 ffd7 85c0 7418 8b442410 c744241404010000 50 } // n = 7, score = 100 // 52 | push edx // ffd7 | call edi // 85c0 | test eax, eax // 7418 | je 0x1a // 8b442410 | mov eax, dword ptr [esp + 0x10] // c744241404010000 | mov dword ptr [esp + 0x14], 0x104 // 50 | push eax condition: 7 of them and filesize < 553984 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY